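#!/bin/bash
# riseup vpn helper - developed by acidvegas (https://git.acid.vegas/random)
#
# Installs OpenVPN (Arch/pacman), creates an unprivileged "vpn" user, writes a
# client config for vpn.riseup.net under /etc/openvpn/client/riseup and then
# runs openvpn in the foreground.  Must be run as root.
#
# Fixes over the previous revision (each one is commented where it applies):
#  - the port menu stored its result in PROTO instead of PORT, so the generated
#    "remote" line never carried a port;
#  - secure_dns redirected sed's output onto its own input file, truncating
#    /etc/nsswitch.conf to zero bytes before sed could read it;
#  - the credential file was written with the default umask and only chmod'ed
#    afterwards, leaving a window in which it was world-readable;
#  - the kill switch was applied *after* the foreground openvpn returned (i.e.
#    once the tunnel was already gone) and its server-allow rule was malformed
#    ("-p -m --dport" with no protocol or port);
#  - /etc/sudoers was appended to without validation.

set -u   # every variable used below is assigned; an unset one is a bug

DEFAULT_PORT=0            # 0 = ask; otherwise a menu index: 1 = 1194, 2 = 80, 3 = 443
DEFAULT_PROTOCOL=0        # 0 = ask; otherwise a menu index: 1 = udp, 2 = tcp
DISABLE_IPV6=1            # 1 = disable IPv6 via sysctl and drop all IPv6 with ip6tables
ENABLE_KILLSWITCH=0       # 1 = install iptables rules that only allow traffic via the tunnel
LAN_SUBNET=192.168.1.0/24 # local network exempted from the kill switch (was hard-coded)
CONF_DIR=/etc/openvpn/client/riseup

# Print a message to stderr and exit non-zero.
function die {
    printf '%s\n' "$*" >&2
    exit 1
}

# Disable IPv6 system-wide so nothing can leak around an IPv4-only tunnel.
# The sysctl.d file makes it persistent; the sysctl -w calls apply it now.
# Only done once: if the file already exists the reboot-time config is assumed
# to be in effect.
function disable_ipv6 {
    local conf=/etc/sysctl.d/99-vpn-disable-ipv6.conf
    if [ ! -f "$conf" ]; then
        printf '%s\n' \
            "net.ipv6.conf.all.disable_ipv6=1" \
            "net.ipv6.conf.default.disable_ipv6=1" \
            "net.ipv6.conf.lo.disable_ipv6=1" > "$conf"
        sysctl -w net.ipv6.conf.all.disable_ipv6=1
        sysctl -w net.ipv6.conf.default.disable_ipv6=1
        sysctl -w net.ipv6.conf.lo.disable_ipv6=1
    fi
}

# Ask (or take from DEFAULT_PORT / DEFAULT_PROTOCOL) the server port and
# protocol, then write $CONF_DIR/riseup.conf.
# Sets the globals PORT and PROTO; killswitch reads them on the same run.
# Exits if a dialog is cancelled (an empty choice used to fall through and
# produce a config with no port).
function generate_config {
    local choice
    if [ "$DEFAULT_PORT" = 0 ]; then
        choice=$(dialog --clear --backtitle "RiseUp VPN Helper" --title "Connection" --menu "Select a connection port:" 20 60 20 1 "1194 (Recommended)" 2 "80" 3 "443" 2>&1 >/dev/tty)
        clear
    else
        choice=$DEFAULT_PORT
    fi
    # Bug fix: this used to assign PROTO, leaving $PORT empty in the config.
    case "$choice" in
        1) PORT="1194";;
        2) PORT="80";;
        3) PORT="443";;
        *) die "[!] - No connection port selected!";;
    esac
    if [ "$DEFAULT_PROTOCOL" = 0 ]; then
        choice=$(dialog --clear --backtitle "RiseUp VPN Helper" --title "Connection" --menu "Select a connection protocol:" 20 60 20 1 "UDP (Recommended)" 2 "TCP" 2>&1 >/dev/tty)
        clear
    else
        choice=$DEFAULT_PROTOCOL
    fi
    case "$choice" in
        1) PROTO="udp";;
        2) PROTO="tcp";;
        *) die "[!] - No connection protocol selected!";;
    esac
    # Notes on the config:
    #  - "user vpn"/"group vpn" + "iproute /usr/local/sbin/unpriv-ip": openvpn
    #    drops to the vpn user and configures tun0 through the sudo wrapper
    #    written by setup.
    #  - "script-security 2" is required for the up/down DNS hook.
    #  - "comp-lzo": compression inside a TLS tunnel is what VORACLE-class
    #    attacks rely on and it is deprecated in OpenVPN 2.5+; kept because the
    #    server side presumably expects it -- confirm against Riseup's own
    #    client config before removing.
    cat > "$CONF_DIR/riseup.conf" <<EOF
auth SHA256
auth-user-pass auth
ca ca.pem
cipher AES-256-CBC
client
comp-lzo
dev tun0
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
group vpn
iproute /usr/local/sbin/unpriv-ip
mute 3
nobind
persist-key
persist-tun
proto $PROTO
remote vpn.riseup.net $PORT
remote-cert-tls server
reneg-sec 0
resolv-retry infinite
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
tls-client
tls-version-min 1.2
up /etc/openvpn/scripts/update-systemd-resolved
user vpn
verb 4
EOF
}

# Make sure PROTO and PORT are known.  generate_config sets them on the first
# run; on later runs read them back from riseup.conf so the kill switch matches
# what openvpn will actually use.
function vpn_endpoint {
    if [ -z "${PROTO:-}" ]; then
        PROTO=$(awk '$1 == "proto" { print $2 }' "$CONF_DIR/riseup.conf")
    fi
    if [ -z "${PORT:-}" ]; then
        PORT=$(awk '$1 == "remote" { print $3 }' "$CONF_DIR/riseup.conf")
    fi
    if [ -z "$PROTO" ] || [ -z "$PORT" ]; then
        die "[!] - Could not determine VPN protocol/port from $CONF_DIR/riseup.conf!"
    fi
}

# Flush and delete every chain in every table for $1 (iptables or ip6tables)
# so the kill switch starts from a clean slate.
function flush_tables {
    local cmd=$1 table
    "$cmd" -F
    "$cmd" -X
    "$cmd" -Z
    for table in filter mangle nat raw security; do
        "$cmd" -t "$table" -F
        "$cmd" -t "$table" -X
    done
}

# Install a default-deny firewall that only lets traffic out through tun+,
# to the LAN, and to the VPN server itself.  Rules are generated once and
# saved under /etc/iptables; delete vpn-rules.v4 to regenerate them (the saved
# file embeds the server addresses resolved at creation time).
#
# Caveat: with OUTPUT at DROP, openvpn can only resolve vpn.riseup.net if its
# resolver is reachable through an allowed rule (e.g. a router on LAN_SUBNET).
function killswitch {
    mkdir -p /etc/iptables
    if [ -f /etc/iptables/vpn-rules.v4 ]; then
        iptables-restore < /etc/iptables/vpn-rules.v4
    else
        vpn_endpoint
        # Resolve the server *before* the OUTPUT policy goes to DROP, otherwise
        # the lookup itself is blocked.  Pinning the pre-tunnel allow rule to
        # these addresses matters: an unrestricted "--dport 443" would let any
        # HTTPS traffic bypass the kill switch.
        local -a server_ips=()
        local ip
        mapfile -t server_ips < <(getent ahostsv4 vpn.riseup.net | awk '{ print $1 }' | sort -u)
        flush_tables iptables
        iptables -P OUTPUT DROP
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -i tun+ -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT
        # 172.27.0.1 was allowed unconditionally in the original; presumably
        # the resolver pushed inside the tunnel -- confirm before relying on it.
        iptables -A OUTPUT -d 172.27.0.1 -j ACCEPT
        if [ "${#server_ips[@]}" -gt 0 ]; then
            for ip in "${server_ips[@]}"; do
                iptables -A OUTPUT -d "$ip" -p "$PROTO" --dport "$PORT" -j ACCEPT
            done
        else
            # Fallback to the original (broad) rule rather than leaving the
            # tunnel unable to connect; this does let $PROTO/$PORT reach any host.
            printf '%s\n' "[!] - Could not resolve vpn.riseup.net; allowing $PROTO/$PORT to any host" >&2
            iptables -A OUTPUT -p "$PROTO" --dport "$PORT" -j ACCEPT
        fi
        iptables -A OUTPUT -o tun+ -j ACCEPT
        iptables -A INPUT -s "$LAN_SUBNET" -j ACCEPT
        iptables -A OUTPUT -d "$LAN_SUBNET" -j ACCEPT
        iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
        iptables-save > /etc/iptables/vpn-rules.v4
    fi
    if [ "$DISABLE_IPV6" -eq 1 ]; then
        if [ -f /etc/iptables/vpn-rules.v6 ]; then
            ip6tables-restore < /etc/iptables/vpn-rules.v6
        else
            flush_tables ip6tables
            ip6tables -P OUTPUT DROP
            ip6tables -P INPUT DROP
            ip6tables -P FORWARD DROP
            ip6tables-save > /etc/iptables/vpn-rules.v6
        fi
    fi
}

# Prompt for the Riseup username/password and store them in $CONF_DIR/auth
# (read by "auth-user-pass auth" in riseup.conf).  The credentials are
# necessarily stored in the clear; the file is root-owned, mode 0600.
function menu_auth {
    local username password
    username=$(dialog --backtitle "RiseUp VPN Helper" --title "Login" --inputbox "Username:" 8 50 2>&1 >/dev/tty)
    password=$(dialog --backtitle "RiseUp VPN Helper" --title "Login" --clear --passwordbox "Password" 8 50 2>&1 >/dev/tty)
    clear
    # Create the file already restricted (umask in a subshell) instead of
    # chmod'ing after the write.  printf '%s' also keeps backslashes in the
    # password literal, which echo -e would have interpreted.
    if ! ( umask 077 && printf '%s\n%s\n' "$username" "$password" > "$CONF_DIR/auth" ); then
        die "[!] - Failed to write $CONF_DIR/auth!"
    fi
    chmod 600 "$CONF_DIR/auth"
    chown root:root "$CONF_DIR/auth"
}

# Install the update-systemd-resolved hook and point nsswitch at
# systemd-resolved so DNS follows the tunnel's pushed servers.
function secure_dns {
    local script=/etc/openvpn/scripts/update-systemd-resolved
    if [ ! -f "$script" ]; then
        mkdir -p /etc/openvpn/scripts
        # SECURITY: this fetches an unpinned script from a moving branch and
        # openvpn runs it as root on every up/down.  Pin to a tag or commit and
        # verify a checksum before trusting it.  Download to a temp name so a
        # failed transfer never leaves a partial hook in place.
        if ! wget -O "$script.tmp" https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved \
           || ! mv "$script.tmp" "$script"; then
            rm -f "$script.tmp"
            die "[!] - Failed to download update-systemd-resolved!"
        fi
        chmod 750 "$script"
    fi
    if [ -f /etc/nsswitch.conf ]; then
        if ! grep -q "hosts: files resolve myhostname" /etc/nsswitch.conf; then
            # Bug fix: "sed ... file > file" truncated nsswitch.conf to 0 bytes
            # before sed read it.  Edit in place instead.
            sed -i 's/hosts:.*/hosts: files resolve myhostname/' /etc/nsswitch.conf
        fi
    else
        echo "[!] - Failed to locate /etc/nsswitch.conf file!"
        exit 1
    fi
    if ! systemctl -q is-active systemd-resolved.service; then
        systemctl start systemd-resolved
    fi
    if ! systemctl -q is-enabled systemd-resolved.service; then
        systemctl enable systemd-resolved
    fi
}

# Grant the vpn user passwordless root "ip" via sudo.  openvpn calls it through
# /usr/local/sbin/unpriv-ip ("iproute" in riseup.conf) to configure tun0 after
# dropping privileges.  Note this is unrestricted "ip" as root, which is more
# than the tun0 route/address changes openvpn needs.
#
# The lines are added to a validated temporary copy of /etc/sudoers that is
# then moved into place: an unparseable /etc/sudoers locks everyone out of sudo.
function install_sudoers {
    local rule="vpn ALL=(ALL) NOPASSWD: /sbin/ip"
    local notty="Defaults:vpn !requiretty"
    local tmp
    if [ ! -f /etc/sudoers ]; then
        echo "[!] - Failed to locate /etc/sudoers file!"
        exit 1
    fi
    if grep -qF -- "$rule" /etc/sudoers && grep -qF -- "$notty" /etc/sudoers; then
        return 0
    fi
    tmp=$(mktemp /etc/sudoers.vpn.XXXXXX) || die "[!] - mktemp failed!"
    cp -p /etc/sudoers "$tmp"
    grep -qF -- "$rule" "$tmp" || printf '\n%s\n' "$rule" >> "$tmp"
    grep -qF -- "$notty" "$tmp" || printf '\n%s\n' "$notty" >> "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        chmod 0440 "$tmp"
        mv "$tmp" /etc/sudoers
    else
        rm -f "$tmp"
        die "[!] - Modified sudoers failed validation; /etc/sudoers left untouched!"
    fi
}

# First-run installation: packages, the vpn user/group, sudo rule, the ip
# wrapper, a fresh $CONF_DIR with the Riseup CA, and the credential file.
function setup {
    pacman -S --needed dialog openvpn screen sudo || die "[!] - Package installation failed!"
    mkdir -p /var/lib/openvpn
    if ! id vpn >/dev/null 2>&1; then
        useradd -r -d /var/lib/openvpn -s /usr/bin/nologin vpn
    fi
    if ! getent group vpn >/dev/null; then
        groupadd vpn
    fi
    # The old check grepped "getent group vpn" for the word "vpn", which always
    # matches the group's own name, so the membership add never ran.
    if ! id -nG vpn | grep -qw vpn; then
        gpasswd -a vpn vpn
    fi
    chown vpn:vpn /var/lib/openvpn
    install_sudoers
    if [ ! -f /usr/local/sbin/unpriv-ip ]; then
        # "$@" instead of $* so arguments containing spaces survive.
        printf '%s\n' '#!/bin/sh' 'sudo /sbin/ip "$@"' > /usr/local/sbin/unpriv-ip
        chmod 755 /usr/local/sbin/unpriv-ip
    fi
    if [ ! -f /etc/openvpn/openvpn-startup ]; then
        # Pre-creates tun0 owned by vpn:vpn.  Nothing in this script invokes
        # it; presumably meant for a systemd ExecStartPre -- confirm.
        printf '%s\n' \
            '#!/bin/sh' \
            'openvpn --rmtun --dev tun0' \
            'openvpn --mktun --dev tun0 --dev-type tun --user vpn --group vpn' \
            > /etc/openvpn/openvpn-startup
        chmod 755 /etc/openvpn/openvpn-startup
    fi
    if [ -d "$CONF_DIR" ]; then
        rm -r "${CONF_DIR:?}"
    fi
    mkdir -p "$CONF_DIR" || die "[!] - Failed to create $CONF_DIR!"
    # The CA is trusted for every future connection on the strength of this one
    # HTTPS download (trust on first use); compare its fingerprint with the one
    # Riseup publishes out of band.  A failed download must not leave an empty
    # ca.pem behind.
    if ! wget -O "$CONF_DIR/ca.pem" https://riseup.net/security/network-security/riseup-ca/RiseupCA.pem; then
        rm -f "$CONF_DIR/ca.pem"
        die "[!] - Failed to download the Riseup CA certificate!"
    fi
    menu_auth
}

if [ "$EUID" -ne 0 ]; then
    echo "[!] - This script requires sudo privledges!"
    exit 1
fi
if [ ! -d "$CONF_DIR" ]; then
    setup
    generate_config
fi
secure_dns
if [ "$DISABLE_IPV6" -eq 1 ]; then
    disable_ipv6
fi
# Bug fix: the kill switch must be up *before* openvpn.  openvpn runs in the
# foreground, so anything placed after it only executes once the tunnel is gone.
if [ "$ENABLE_KILLSWITCH" -eq 1 ]; then
    killswitch
fi
openvpn --cd "$CONF_DIR" --config riseup.conf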